GNU/Linux in a Sweat Due to This Critical RCE Vulnerability

Today brings new developments regarding the critical security flaw recently discovered in GNU/Linux systems. This vulnerability, which has sent shockwaves through the community, allows for unauthenticated remote code execution (RCE). It’s the kind of issue that gives system administrators cold sweats.

The flaw was identified by security researcher Simone Margaritelli, also known as @evilsocket. It potentially affects all GNU/Linux systems using the cups-browsed service, part of the CUPS printing system. Several Common Vulnerabilities and Exposures (CVE) identifiers have been assigned to this vulnerability: CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177.

This vulnerability has been rated with an initial CVSS score of 9.9 out of 10, reflecting its severity. The most alarming aspect of this situation is that the flaw may have been present in the code for over a decade. While you were quietly playing Minecraft in your childhood or coding your first “Hello World,” this vulnerability lurked in the shadows, waiting for its moment.

The vulnerability allows an unauthenticated remote attacker to silently replace the IPP URLs of existing printers, or to install new ones, so that arbitrary code executes when a print job is sent to the tampered printer from the victim's machine. The attack can be carried out by sending a UDP packet to port 631, which cups-browsed binds on all interfaces by default, or by spoofing mDNS/zeroconf announcements on the local network.

Affected systems include most GNU/Linux distributions, certain BSD systems, and potentially other UNIX-based systems using CUPS and cups-browsed. Even devices like Google ChromeOS could be impacted.

But why is it so complicated to fix this vulnerability? The issue is rooted in how cups-browsed itself operates: how it discovers network printers and adds them to the local system. According to Margaritelli, several components of the CUPS system are affected, including cups-browsed, libppd, libcupsfilters, and cups-filters. Consequently, multiple parts of the code need to be corrected to completely eliminate the vulnerability.

After all, since no one has ever really managed to get their printer working properly under Linux, it’s not too concerning… Just kidding!

Of course, as always, this situation raises important questions about vulnerability management in the open-source world: How can we improve the detection and correction process for flaws? How can we ensure that developers take security reports seriously?

It must be noted that communication surrounding this vulnerability has not been particularly smooth. Margaritelli expressed frustration over some developers who seemed more inclined to defend their code than to acknowledge the problem. This has delayed the implementation of a fix.

So, what should be done?

It is recommended to:

  • Disable and remove the cups-browsed service if it is not needed.
  • Update the CUPS package on your systems as soon as a patch is available.
  • Block all traffic to UDP port 631 and possibly all DNS-SD traffic if you are not using zeroconf.
  • Minimize the exposure of your systems on the internet.
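As an added example (not part of the original article), here is a small defender-side script that checks whether cups-browsed has UDP/631 bound on a non-loopback address and, on request, applies the first and third recommendations above. The `ss` output it parses is a constructed sample; the live `--check`/`--apply` modes assume iproute2, systemd and nftables.

```sh
#!/bin/sh
# Constructed sample of `ss -ulnp` output from an unpatched host (hypothetical).
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631         0.0.0.0:*         users:(("cups-browsed",pid=1234,fd=7))
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=400,fd=13))'
# Same host after cups-browsed was stopped: no UDP/631 socket remains (constructed).
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=400,fd=13))'

# udp631_exposure: reads `ss -ulnp` output on stdin and prints "exposed" when
# UDP/631 is bound to a wildcard or non-loopback address (0.0.0.0, *, [::]),
# and "clear" otherwise. Column 4 is "Local Address:Port".
udp631_exposure() {
    awk '$1 == "UNCONN" && $4 ~ /:631$/ && $4 !~ /^127\./ && $4 !~ /^\[::1\]/ { hit = 1 }
         END { print (hit ? "exposed" : "clear") }'
}

# live_check: run the same check against this host (needs iproute2's ss).
live_check() {
    ss -ulnp | udp631_exposure
}

# remediate: disable cups-browsed and drop inbound UDP/631 with nftables.
# A dedicated table keeps the rule from interfering with an existing ruleset.
# Package removal is distro-specific and left to the administrator.
remediate() {
    systemctl disable --now cups-browsed
    nft add table inet cups_guard
    nft add chain inet cups_guard input '{ type filter hook input priority 0; policy accept; }'
    nft add rule inet cups_guard input udp dport 631 drop
}

case "${1:-}" in
    --check) live_check ;;
    --apply) remediate && live_check ;;
esac
```

Run with `--check` to report the current state and with `--apply` (as root) to remediate and re-check.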

While this story is certainly stressful, it serves as a reminder that security is a constant battle. Stay vigilant, keep your systems updated, and remember: when in doubt, avoid executing random system commands!

With that, I’ll return to monitoring my logs.

Mohamed SAKHRI

I'm the creator and editor-in-chief of Tech To Geek. Through this little blog, I share with you my passion for technology. I specialize in various operating systems such as Windows, Linux, macOS, and Android, focusing on providing practical and valuable guides.
